Secure client-server communication
US11165890B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Field | Date |
| --- | --- |
| Filing date | Jan 23, 2020 |
| Grant date | Nov 2, 2021 |
| Priority date | — |
| Expiry date | Jan 23, 2040 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04W4/02
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A secure client-server connection method compatible with RESTful (REpresentational State Transfer) APIs (Application Programming Interface) that is resistant to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The server generates a token for the client and a random value which it pairs with the token. The random value is hashed. The hash value is transmitted to the client contained in the token and the random value is transmitted to the client contained in an HTTPOnly cookie. Even if an attacker steals the token and/or the hash, security is maintained, since the server verifies communications from the client by validating the token on the basis of its hash value. Validation is performed by the server hashing the random value contained in the HTTPOnly cookie paired with the token to obtain a further hash value, and checking that this further hash value matches the token's hash value.
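The following is an added illustration of the token/cookie pairing the abstract describes; it is not code from the patent or its assignee. It assumes a stateless server: the "pairing" of the random value with the token is expressed by embedding the SHA-256 hash of the random value in the token, and the token is HMAC-signed so that whoever holds it cannot rewrite that hash (the abstract does not say how the token is protected, so the signature is an assumption). The server key, the cookie name `rv` and the claim name `rh` are constructed for the example. The `demo()` function exercises the cases the abstract cares about: a legitimate request, a stolen token sent without the cookie (the XSS case, since the cookie is HttpOnly), a cookie sent without the token (the CSRF case), and a token paired with a cookie from a different session.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# Constructed server-side secret for the example; a deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    # Assumption: the token is integrity-protected with an HMAC over its payload.
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())


def issue_session(user: str) -> Tuple[str, Dict[str, object]]:
    """Server side: return (token, cookie) for a newly authenticated client.

    The random value reaches the client only inside an HttpOnly cookie;
    its SHA-256 hash reaches the client inside the (signed) token.
    """
    random_value = os.urandom(32)
    digest = hashlib.sha256(random_value).hexdigest()
    payload = _b64(json.dumps({"sub": user, "rh": digest}).encode())
    token = f"{payload}.{_sign(payload)}"
    cookie = {
        "name": "rv",                 # constructed cookie name
        "value": _b64(random_value),
        "HttpOnly": True,             # script cannot read the random value
        "Secure": True,
        "SameSite": "Strict",
    }
    return token, cookie


def validate_request(token: Optional[str], cookie_value: Optional[str]) -> bool:
    """Server side: accept the request only if the cookie's random value hashes
    to the hash carried in a correctly signed token."""
    if not token or not cookie_value:
        return False
    try:
        payload, sig = token.split(".", 1)
        if not hmac.compare_digest(sig, _sign(payload)):
            return False                      # token forged or tampered
        claims = json.loads(_unb64(payload))
        further_hash = hashlib.sha256(_unb64(cookie_value)).hexdigest()
        return hmac.compare_digest(further_hash, claims["rh"])
    except (ValueError, KeyError, TypeError):
        return False


def demo() -> Dict[str, bool]:
    """Run the scenarios from the abstract and report which are accepted."""
    token_a, cookie_a = issue_session("alice")
    token_b, cookie_b = issue_session("bob")
    return {
        "legitimate": validate_request(token_a, cookie_a["value"]),
        "stolen_token_no_cookie": validate_request(token_a, None),
        "cookie_without_token": validate_request(None, cookie_a["value"]),
        "token_with_other_sessions_cookie": validate_request(token_a, cookie_b["value"]),
        "tampered_token": validate_request(token_a[:-4] + "AAAA", cookie_a["value"]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first scenario is accepted. The check relies on the two secrets travelling by different channels: the token must be placed in a request header by page script (so a cross-site form post cannot supply it), while the random value lives in an HttpOnly cookie that injected script cannot read; an attacker who obtains one of them still cannot produce a request in which the recomputed hash matches the token's hash.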
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.